Analysis
-
max time kernel
145s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
23-03-2023 02:00
Behavioral task
behavioral1
Sample
Lotus.exe
Resource
win7-20230220-en
windows7-x64
11 signatures
150 seconds
Behavioral task
behavioral2
Sample
Lotus.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
Lotus.exe
-
Size
136KB
-
MD5
b9d014296827c8d325ba1e1b0f4b2793
-
SHA1
8749106256cdca0d200f76728d0a873dd13c22e9
-
SHA256
ea0c4df308a6b31c6ec10f00a3bcda9c0f38ed382a753f848f14d5b6fa24b84f
-
SHA512
6d90d55a358568d1f4731c9bb99eea47777a7ce01db8f9fdc1ea38ffab72d06a2ae1d8d425e0a52ea546d790ee4ae9402748666d1bfbeb41f89c29fdace11fa6
-
SSDEEP
3072:rssOu1QbkQzxsf9vIyqhSJTibjMJGEA1u4B+:rsslkkQMvqUibg8EEj+
Score
10/10
Malware Config
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
RevengeRat Executable 3 IoCs
Processes:
resource yara_rule behavioral2/memory/4836-135-0x0000000000710000-0x0000000000738000-memory.dmp revengerat behavioral2/memory/4836-138-0x0000000000710000-0x0000000000738000-memory.dmp revengerat behavioral2/memory/4836-141-0x0000000000710000-0x0000000000738000-memory.dmp revengerat -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Lotus.exedescription pid process target process PID 2396 set thread context of 4836 2396 Lotus.exe aspnet_compiler.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4900 4836 WerFault.exe aspnet_compiler.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Lotus.exedescription pid process Token: SeDebugPrivilege 2396 Lotus.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
Lotus.exedescription pid process target process PID 2396 wrote to memory of 4836 2396 Lotus.exe aspnet_compiler.exe PID 2396 wrote to memory of 4836 2396 Lotus.exe aspnet_compiler.exe PID 2396 wrote to memory of 4836 2396 Lotus.exe aspnet_compiler.exe PID 2396 wrote to memory of 4836 2396 Lotus.exe aspnet_compiler.exe PID 2396 wrote to memory of 4836 2396 Lotus.exe aspnet_compiler.exe PID 2396 wrote to memory of 4836 2396 Lotus.exe aspnet_compiler.exe PID 2396 wrote to memory of 4836 2396 Lotus.exe aspnet_compiler.exe PID 2396 wrote to memory of 4836 2396 Lotus.exe aspnet_compiler.exe PID 2396 wrote to memory of 4836 2396 Lotus.exe aspnet_compiler.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Lotus.exe"C:\Users\Admin\AppData\Local\Temp\Lotus.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 2003⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4836 -ip 48361⤵